core_test.go

package jess

import (
	"errors"
	"fmt"
	"strings"
	"testing"
	"time"

	"github.com/safing/jess/tools"
)

const (
	testData1 = "The quick brown fox jumps over the lazy dog. "
	testData2 = `Tempora aut rerum ut esse illo. Aut quo qui rem consequuntur quia suscipit nihil labore. Quisquam et corrupti exercitationem nesciunt. Ut nisi voluptas natus.
	Nihil ipsum maxime necessitatibus distinctio velit. Debitis perferendis suscipit ut. Aut illum blanditiis ut voluptates qui.
	Consequatur cupiditate itaque qui quam. Sed qui velit et aperiam voluptatum reprehenderit aut voluptas. Eaque facere sit exercitationem dolore quos eum. Consectetur est voluptas nemo dolor rerum quae. Nisi sed velit quasi alias assumenda.
	Commodi eos asperiores fugiat molestiae ea eos eligendi. Explicabo illo quisquam et ut incidunt libero vel eius. Libero accusamus corporis cum rem. Voluptas molestias corporis veritatis sapiente nihil voluptatibus. Delectus sit qui iste ut vero. Occaecati reiciendis ex sed consequuntur dolor et.
	Qui voluptates quod omnis rerum. Soluta dolore quia eius quo similique accusamus. Quisquam fugiat sed voluptatibus eos earum sed. Numquam quia at commodi aut esse ducimus enim.
	Enim nihil architecto architecto. Reprehenderit at assumenda labore. Et ut sed ut inventore tenetur autem. Iusto et neque ab dolores eum. Praesentium amet sint ut voluptate impedit sit.
	A accusantium ullam voluptatibus. Adipisci architecto minus dolore tenetur eos. Id illum quo neque laborum numquam laborum animi libero.
	Debitis voluptatem non aut ex. Et et quis qui aut fugit accusantium. Est dolor quia accusantium culpa.
	Facere iste dolor a qui. Earum aut facilis maxime repudiandae magnam. Laborum illum distinctio quo libero corrupti maxime. Eum nam officiis culpa nobis.
	Et repellat qui ut quaerat error explicabo. Distinctio repudiandae sit dolores nam at. Suscipit aliquam alias ullam id.`

	testPassword1 = "Jt0gYfUh0mMsWH1jYhOI2SXQ8rKMmu38pkBgDa6p8YlOlae" //nolint:gosec
	testPassword2 = "6+cYgtpM6CYjApRvc+ayx4t4zXJ9PSr80ykp3jmwagATaw4" //nolint:gosec

	testHasher = "SHA2-256"
)

var (
	testKey1 []byte
	testKey2 []byte

	testTrustStore = NewMemTrustStore()

	RunComprehensiveTests       string
	runComprehensiveTestsActive bool

	RunTestsInDebugStyle       string
	runTestsInDebugStyleActive bool

	debugStyleMaxErrors = 10
	debugStyleErrorCnt  int
)

func tErrorf(t *testing.T, msg string, args ...interface{}) {
	t.Helper()

	t.Errorf(msg, args...)
	if runTestsInDebugStyleActive {
		debugStyleErrorCnt++
		if debugStyleErrorCnt >= debugStyleMaxErrors {
			t.Skipf("reached %d errors, ending early", debugStyleErrorCnt)
		}
	}
}

func init() {
	// init test key
	var err error
	testKey1, err = RandomBytes(defaultSymmetricKeySize)
	if err != nil {
		panic(err)
	}
	testKey2, err = RandomBytes(defaultSymmetricKeySize)
	if err != nil {
		panic(err)
	}

	// init trust store
	err = testTrustStore.StoreSignet(&Signet{
		Version: 1,
		ID:      "test-key-1",
		Scheme:  SignetSchemeKey,
		Key:     testKey1,
	})
	if err != nil {
		panic(err)
	}
	err = testTrustStore.StoreSignet(&Signet{
		Version: 1,
		ID:      "test-key-2",
		Scheme:  SignetSchemeKey,
		Key:     testKey2,
	})
	if err != nil {
		panic(err)
	}

	err = testTrustStore.StoreSignet(&Signet{
		Version: 1,
		ID:      "test-pw-1",
		Scheme:  SignetSchemePassword,
		Key:     []byte(testPassword1),
	})
	if err != nil {
		panic(err)
	}
	err = testTrustStore.StoreSignet(&Signet{
		Version: 1,
		ID:      "test-pw-2",
		Scheme:  SignetSchemePassword,
		Key:     []byte(testPassword2),
	})
	if err != nil {
		panic(err)
	}

	// lower defaults for better test speed
	defaultSymmetricKeySize = 16
	defaultSecurityLevel = 128

	// init special test config
	if RunComprehensiveTests == "true" {
		runComprehensiveTestsActive = true
	}
	if RunTestsInDebugStyle == "true" {
		runTestsInDebugStyleActive = true
	}
}

func TestCoreBasic(t *testing.T) {
	t.Parallel()

	for _, suite := range Suites() {
		testStorage(t, suite)
	}
}

// TestCoreAllCombinations tests all tools in all combinations and every tool
// should be tested when placed before and after every other tool.
func TestCoreAllCombinations(t *testing.T) {
	t.Parallel()

	// skip in short tests and when not running comprehensive
	if testing.Short() || !runComprehensiveTestsActive {
		return
	}
	// run this test with
	// go test -timeout 10m github.com/safing/jess -v -count=1 -ldflags "-X github.com/safing/jess.RunComprehensiveTests=true" -run ^TestCoreAllCombinations$

	// add all tools
	var all []string
	if runTestsInDebugStyleActive {
		for _, tool := range tools.AsList() {
			all = append(all, tool.Info.Name)
		}
	} else {
		for _, tool := range tools.AsMap() {
			all = append(all, tool.Info.Name)
		}
	}

	// add hashers to tools that need them
	for i := 0; i < len(all); i++ {
		// get tool
		tool, err := tools.Get(all[i])
		if err != nil {
			t.Fatalf("failed to get tool %s: %s", all[i], err)
			return
		}

		// add hasher if needed
		if tool.Info.HasOption(tools.OptionNeedsManagedHasher) ||
			tool.Info.HasOption(tools.OptionNeedsDedicatedHasher) {
			all[i] = fmt.Sprintf("%s(%s)", all[i], testHasher)
		}
	}

	// compute all combinations
	combinations := generateCombinations(all)
	combinationsTested := 0
	combinationsDetectedInvalid := 0

	if runComprehensiveTestsActive {
		fmt.Println("running comprehensive tests, printing one dot per 1000 combinations tested.")
	}

	for _, testTools := range combinations {
		// >4 tools && !comprehensive: don't test
		if !runComprehensiveTestsActive && len(testTools) > 4 {
			continue
		}

		if len(testTools) == 4 &&
			runComprehensiveTestsActive {
			// ==4 tools && comprehensive: rotate

			// if we want to test before/after differences, we need to use at least 4 tools, because if we have 2 key exchanges, they need at least an aead cipher and key derivation tool in order to work.

			// rotate to test before/after differences
			for i := 0; i < len(testTools); i++ {
				detectedInvalid := testStorage(t, &Suite{Tools: testTools})
				combinationsTested++
				if detectedInvalid {
					combinationsDetectedInvalid++
				}
				if runComprehensiveTestsActive && combinationsTested%1000 == 0 {
					fmt.Print(".")
				}

				// rotate
				testTools = append(testTools, testTools[0])[1:]
			}
		} else {
			// test this order only
			detectedInvalid := testStorage(t, &Suite{Tools: testTools})
			combinationsTested++
			if detectedInvalid {
				combinationsDetectedInvalid++
			}
			if runComprehensiveTestsActive && combinationsTested%1000 == 0 {
				fmt.Print(".")
			}
		}
	}

	if runComprehensiveTestsActive {
		fmt.Println("\n\nfinished.")
	}

	t.Logf("tested %d tool combinations", combinationsTested)
	t.Logf("of these, %d were successfully detected as invalid", combinationsDetectedInvalid)
}

func testStorage(t *testing.T, suite *Suite) (detectedInvalid bool) { //nolint:thelper
	t.Logf("testing storage with %s", suite.ID)

	e, err := setupEnvelopeAndTrustStore(t, suite)
	if err != nil {
		tErrorf(t, "%s failed: %s", suite.ID, err)
		return false
	}
	if e == nil {
		return true
	}

	// test 1: close

	s, err := e.Correspondence(testTrustStore)
	if err != nil {
		tErrorf(t, "%s failed to init session (1): %s", suite.ID, err)
		return false
	}

	letter, err := s.Close([]byte(testData1))
	if err != nil {
		tErrorf(t, "%s failed to close (1): %s", suite.ID, err)
		return false
	}

	msg, err := letter.ToJSON()
	if err != nil {
		tErrorf(t, "%s failed to json encode (1): %s", suite.ID, err)
		return false
	}

	// test 2: open

	letter2, err := LetterFromJSON(msg)
	if err != nil {
		tErrorf(t, "%s failed to json decode (2): %s", suite.ID, err)
		return false
	}

	origData2, err := letter2.Open(e.suite.Provides, testTrustStore)
	if err != nil {
		tErrorf(t, "%s failed to open (2): %s", suite.ID, err)
		return false
	}
	if string(origData2) != testData1 {
		tErrorf(t, "%s original data mismatch (2): %s", suite.ID, string(origData2))
		return false
	}

	// test 2.1: verify

	letter21, err := LetterFromJSON(msg)
	if err != nil {
		tErrorf(t, "%s failed to json decode (2): %s", suite.ID, err)
		return false
	}

	if len(letter21.Signatures) > 0 {
		err = letter21.Verify(e.suite.Provides, testTrustStore)
		if err != nil {
			tErrorf(t, "%s failed to verify (2): %s", suite.ID, err)
			return false
		}
	}

	return false
}

//nolint:gocognit,gocyclo
func setupEnvelopeAndTrustStore(t *testing.T, suite *Suite) (*Envelope, error) {
	t.Helper()

	// check if suite is registered
	if suite.ID == "" {
		// register as test suite
		suite.ID = fmt.Sprintf("__unit_test_suite__" + strings.Join(suite.Tools, "__"))
		registerSuite(suite)
	}

	// create envelope baseline
	e := NewUnconfiguredEnvelope()
	e.SuiteID = suite.ID
	e.suite = suite

	// check vars
	keyDerPresent := false
	passDerPresent := false
	asyncKeyEstablishmentPresent := false

	// process tools and setup envelope
	for _, toolID := range e.suite.Tools {

		// remove hasher argument for now
		if strings.Contains(toolID, "(") {
			toolID = strings.Split(toolID, "(")[0]
		}

		// get tool
		tool, err := tools.Get(toolID)
		if err != nil {
			return nil, err
		}

		// generate needed signets
		switch tool.Info.Purpose {
		case tools.PurposePassDerivation:
			pw, err := getOrMakeSignet(t, nil, false, "test-pw-1")
			if err != nil {
				return nil, err
			}
			e.Secrets = append(e.Secrets, pw)

			// add a second one!
			if len(suite.Tools) <= 2 {
				pw1, err := getOrMakeSignet(t, nil, false, "test-pw-2")
				if err != nil {
					return nil, err
				}
				e.Secrets = append(e.Secrets, pw1)
			}

		case tools.PurposeKeyExchange, tools.PurposeKeyEncapsulation:
			asyncKeyEstablishmentPresent = true

			recipient, err := getOrMakeSignet(t, tool.StaticLogic, true, fmt.Sprintf("test-%s", tool.Info.Name))
			if err != nil {
				return nil, err
			}
			e.Recipients = append(e.Recipients, recipient)

		case tools.PurposeSigning:
			sender, err := getOrMakeSignet(t, tool.StaticLogic, false, fmt.Sprintf("test-%s", tool.Info.Name))
			if err != nil {
				return nil, err
			}
			e.Senders = append(e.Senders, sender)
		}

		// add required requirements
		switch tool.Info.Purpose {
		case tools.PurposeKeyDerivation:
			keyDerPresent = true
		case tools.PurposePassDerivation:
			passDerPresent = true
			// add passderivation requirements later, as it is a bit special
		case tools.PurposeKeyExchange:
			e.suite.Provides.Add(RecipientAuthentication)
		case tools.PurposeKeyEncapsulation:
			e.suite.Provides.Add(RecipientAuthentication)
		case tools.PurposeSigning:
			e.suite.Provides.Add(Integrity)
			e.suite.Provides.Add(SenderAuthentication)
		case tools.PurposeIntegratedCipher:
			e.suite.Provides.Add(Confidentiality)
			e.suite.Provides.Add(Integrity)
		case tools.PurposeCipher:
			e.suite.Provides.Add(Confidentiality)
		case tools.PurposeMAC:
			e.suite.Provides.Add(Integrity)
		}
	}

	// if invalid: test if toolset is recognized as invalid

	// no requirements -> only "meta" tools (kdf, pass derivation)
	if e.suite.Provides.Empty() {
		return nil, testInvalidToolset(e, "there are only meta tools in toolset")
	}

	// recipient auth, but no confidentiality? nope.
	if e.suite.Provides.Has(RecipientAuthentication) &&
		!e.suite.Provides.Has(Confidentiality) {
		return nil, testInvalidToolset(e, "authenticating the recipient without using confidentiality does not make sense")
	}

	// check if we are missing key derivation - this is only ok if we are merely signing
	if !keyDerPresent && len(e.Senders) != len(e.suite.Tools) {
		return nil, testInvalidToolset(e, "omitting a key derivation tool is only allowed when merely signing")
	}

	// check if we have key derivation, but not need it
	if keyDerPresent &&
		(!e.suite.Provides.Has(Confidentiality) &&
			!e.suite.Provides.Has(Integrity)) {
		return nil, testInvalidToolset(e, "a key derivation tool was specified, albeit none is needed")
	}

	// add passderivation here, as to easier handle the other cases
	if passDerPresent {
		e.suite.Provides.Add(SenderAuthentication)
		e.suite.Provides.Add(RecipientAuthentication)

		// need Confidentiality for this to make sense
		if !e.suite.Provides.Has(Confidentiality) {
			return nil, testInvalidToolset(e, "using a password without confidentiality does not make sense")
		}
	}

	if e.suite.Provides.Has(Confidentiality) &&
		!e.suite.Provides.Has(Integrity) {
		return nil, testInvalidToolset(e, "having confidentiality without integrity does not make sense")
	}

	// add static key if needed
	if !asyncKeyEstablishmentPresent && !passDerPresent && keyDerPresent {
		e.suite.Provides.Add(SenderAuthentication)
		e.suite.Provides.Add(RecipientAuthentication)

		key, err := getOrMakeSignet(t, nil, false, "test-key-1")
		if err != nil {
			return nil, err
		}
		e.Secrets = append(e.Secrets, key)

		// add a second one!
		if len(suite.Tools) <= 2 {
			key2, err := getOrMakeSignet(t, nil, false, "test-key-2")
			if err != nil {
				return nil, err
			}
			e.Secrets = append(e.Secrets, key2)
		}
	}

	return e, nil
}

func testInvalidToolset(e *Envelope, whyInvalid string) error {
	if e.Check(testTrustStore) == nil {
		return fmt.Errorf("passed check although %s", whyInvalid)
	}

	return nil
}

func getOrMakeSignet(t *testing.T, tool tools.ToolLogic, recipient bool, signetID string) (*Signet, error) {
	t.Helper()

	// check if signet already exists
	signet, err := testTrustStore.GetSignet(signetID, recipient)
	if err == nil {
		return signet, nil
	}

	// handle special cases
	if tool == nil {
		return nil, errors.New("bad parameters")
	}

	// create new signet
	newSignet := NewSignetBase(tool.Definition())
	newSignet.ID = signetID
	// generate signet and log time taken
	start := time.Now()
	err = tool.GenerateKey(newSignet)
	if err != nil {
		return nil, err
	}
	t.Logf("generated %s signet %s in %s", newSignet.Scheme, newSignet.ID, time.Since(start))

	// store signet
	err = testTrustStore.StoreSignet(newSignet)
	if err != nil {
		return nil, err
	}

	// store recipient
	newRcpt, err := newSignet.AsRecipient()
	if err != nil {
		return nil, err
	}
	err = testTrustStore.StoreSignet(newRcpt)
	if err != nil {
		return nil, err
	}

	// return
	if recipient {
		return newRcpt, nil
	}
	return newSignet, nil
}

// generateCombinations returns all possible combinations of the given []string slice.
//
//	Forked from https://github.com/mxschmitt/golang-combinations/blob/a887187146560effd2677e987b069262f356297f/combinations.go
//	Copyright (c) 2018 Max Schmitt,
//	MIT License.
func generateCombinations(set []string) (subsets [][]string) {
	length := uint(len(set))

	// Go through all possible combinations of objects
	// from 1 (only first object in subset) to 2^length (all objects in subset)
	for subsetBits := 1; subsetBits < (1 << length); subsetBits++ {
		var subset []string

		for object := uint(0); object < length; object++ {
			// checks if object is contained in subset
			// by checking if bit 'object' is set in subsetBits
			if (subsetBits>>object)&1 == 1 {
				// add object to subset
				subset = append(subset, set[object])
			}
		}
		// add subset to subsets
		subsets = append(subsets, subset)
	}
	return subsets
}